Server 2008 Terminal Services and Remote Desktop Services Basic application access is possible without Citrix, and Server 2008 R2 adds on some key features.

Server 2008 Terminal Services and Remote Desktop Services

Basic application access is possible without Citrix, and Server 2008 R2 adds on

some key features.

Terminal Services on Server 2003

• Windows Server 2003 allowed user access to terminal services, but only to the full desktop experience on the server.

• This was often confusing for the users who were less computer-savvy.

• Required firewall to be open on port 3389.• Need to add on Citrix Presentation Server to allow

users to only select the application they wanted, without being confused by the addition of the full desktop.

2

New with Windows Server 2008

• Support for higher resolution desktops and spanning of multiple monitors (if in a horizontal formation)

• Max resolution is now 4096x2048 instead of 1600x1200

• Plug and Play Device Redirection for Media Players and Cameras

• Single Sign-On supported from Vista workstations• Printing enhanced with TS Easy Print

• Requires client to have RDC 6.1 and .NET Framework 3.0 SP1

• TS RemoteApp, TS WebAccess and TS Gateway(Also includes TS Licensing and TS Session Broker)

3

Terminal Services RemoteApp

• RemoteApp programs are accessed through Terminal Services but appear to be running locally on the client machine.

• Multiple applications will share the same Terminal Services session.

• Requirements:• Clients must be either Server 2008, XP SP3,

Vista SP1 or Windows 7• Must be running RDC 6.1 (include with above

OSes)• Terminal Services Web Access must be used

to access the RemoteApp programs.

4

Terminal Services Web Access

• Users can visit a web site to access a list of available RemoteApp programs.

• Presents an experience similar to Citrix Presentation Server.

• Also allows access to full terminal service desktop if the user has access rights.

5

Terminal Services Gateway

• TS Gateway uses RDP (Remote Desktop Protocol) over HTTPS to establish a secure connection between remote users and the terminal service machine.

• No VPN required.• No need to open port 3389. Uses port 443

instead.• Policies can be configured to limit who can

connect, what they can connect to, if device or disk redirection is allowed or if smart card authentication is required.

• TS Gateway can also be integrated with NAP for additional security.

• An externally trusted SSL certificate is require for the gateway server.

6

Basic Setup Diagram

7

• The TS Gateway machine has a external IP address with the firewall open for SSL•The TS Web Access is installed on the same machine as the Gateway•The TS RemoteApp server has all the published applications installed

TS Gateway Snap-In

8

TS RemoteApp Snap-In

9

What’s different from Citrix?

• Users are prompted to log on twice – once to access the application web page and then again to launch the first program from the RemoteApp server.

• Any additional programs launch use the same TS session and does not prompt for another password. (Server 2008 R2 improves the single sign-on experience)

• With Server 2008, all the applications published on the RemoteApp server are available to every user

• Server 2008 R2 allows for filtering the applications show via security groups, but that not a native feature in Server 2008.

• No support for Mac with the current Mac version of the RDC client. Requires

• Requires Internet Explorer for Active-X support.

10

What’s changed with Server 2008 R2?

• Terminal Services was renamed to “Remote Desktop Services”

• Improved multi-display support – now supports displays with different resolutions (like a laptop with an external monitor connected)

• System and Logon messages can be displayed to the remote user. (RDC 7.0 client required)

• Forms based authentication allows for a more customizable logon experience that can be imbedded in a web page. Server 2008 only provides the standard Windows authentication prompt.

11

Caveat #1: XP SP3

XP SP3 supports the necessary TS ActiveX components, but they are disabled in IE 7 for enhanced security.

Client machines will have to have the following keys in the registry removed to activate the Add-On:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}

• HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2}

Caveat #2: Unsigned RDP Files

The RDP files need to be signed to prevent another few clicks for the user.

Questions?

Jennelle CrothersEmail: [email protected]

Twitter: @jkc137Blog: www.techbunny.com14

About Jennelle CrothersJennelle Crothers is a Sr. Network Administrator for The Conservation & Liquidation Office. Jennelle migrates, maintains and supports multiple Microsoft AD configurations due to the function of the Conservation & Liquidation Office which is to serve in receivership insolvent insurance companies in the State of California. She is actively involved in Pacific IT Professionals (formerly SFNTUG).

Jennelle is a Microsoft Certified Systems Engineer (MCSE): Messaging, an MCITP: Enterprise Administrator and Window 7, as well as a MCTS for Windows Virtualization and Exchange 2007. She is an MVP for the Windows Desktop Experience.

When she is not playing on server equipment she enjoys raising dogs for Guide Dogs for the Blind. She is married to her wonderful husband Dennis and they live together in San Francisco, CA.

15